Malware Analysis Report

2025-01-22 18:57

Sample ID 240314-jvcqksgf35
Target c81c03c9e9da5eb997edfb031153fee8
SHA256 d14767f1ed982d7848dc6b5f1cf4748437d355111771e748dfd0f82faaa7ac7f
Tags
upx isfb gozi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d14767f1ed982d7848dc6b5f1cf4748437d355111771e748dfd0f82faaa7ac7f

Threat Level: Known bad

The file c81c03c9e9da5eb997edfb031153fee8 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-14 07:58

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 07:58

Reported

2024-03-14 08:01

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe

"C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe"

C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe

C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/2860-1-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/2860-0-0x0000000000400000-0x0000000000622000-memory.dmp

memory/2860-3-0x0000000001B10000-0x0000000001C41000-memory.dmp

memory/2860-13-0x0000000000400000-0x0000000000622000-memory.dmp

\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe

MD5 fcd9be6840b610a712ec007b1047aca9
SHA1 c49f03d0356dbbf65d6778085eb53ef09d658f5a
SHA256 59c0e896949bbc0c6f4e9f2faa6019fc5699fe8289186cdf36fa3b7b77561904
SHA512 8d2b6fda19cb2241da91da055750cfa3c97dd75f8ac37f3fecd3ee67977f9620b6f482760fdaf96c05033e24e76228bee4f072473cbda3600f5ced16f58aaab4

C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe

MD5 dea7313bffb54d6cb9d479e430b31464
SHA1 3d731fe77ac9b9f4a3b96924d928633bad40bf5d
SHA256 8ef563262f1c1688d1f892dda6de18a473a2135b9077f96cf61f4d6062bcd7fe
SHA512 c410e9fbb57ccfc8a89549d3c85a00838e869361bedfde4e0e46178256cfe5844f6b2e83209750e76efe09b75f567ae61086a4bb2932e1f0939e84f679b9ecd7

memory/2860-16-0x0000000003760000-0x0000000003C47000-memory.dmp

memory/2796-15-0x0000000000400000-0x0000000000622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe

MD5 6315d3905eefbc5d770866d6abcac4cd
SHA1 d33831b0a3785721064f90b0a282d2f2fb192adc
SHA256 5bfa5b056a2c7986aa1425dd0c472f5e53f1a6694643a4494fef538cafd35e0b
SHA512 b6104be7c7587b0b2d4bb8e5c56fb450a30ea63fe659e4fd82381d80ca4311c224809cb6291a0dbb781bebdf68468b3e2d8fd42d615e6ef68e09f8f9826ba2aa

memory/2796-17-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/2796-19-0x0000000000130000-0x0000000000261000-memory.dmp

memory/2796-23-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2796-25-0x00000000033E0000-0x0000000003602000-memory.dmp

memory/2860-31-0x0000000003760000-0x0000000003C47000-memory.dmp

memory/2796-32-0x0000000000400000-0x00000000008E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 07:58

Reported

2024-03-14 08:01

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe

"C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe"

C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe

C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/3640-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/3640-2-0x0000000001CF0000-0x0000000001E21000-memory.dmp

memory/3640-1-0x0000000000400000-0x0000000000622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c81c03c9e9da5eb997edfb031153fee8.exe

MD5 6f380628d86f02f100180ef60d8eb00b
SHA1 4c8a5e4671ff4f4598b3dfa13f71c5d9a8befccf
SHA256 3c268172c7a335108617b8f7755b437d012046019c006bf273a92b4ab183021a
SHA512 f6d7e5638060ac572bd03bc372229b969fc5031dc2093dd292b86142bcd0ea28979cad170586c6699293ed8b8e36520a1cf8500ceec3dd976728e30959be3fb7

memory/3640-12-0x0000000000400000-0x0000000000622000-memory.dmp

memory/4116-13-0x0000000000400000-0x0000000000622000-memory.dmp

memory/4116-14-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/4116-16-0x00000000018F0000-0x0000000001A21000-memory.dmp

memory/4116-21-0x0000000005590000-0x00000000057B2000-memory.dmp

memory/4116-20-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4116-28-0x0000000000400000-0x00000000008E7000-memory.dmp